File and Hash Threat Intel | TryHackMe Writeup

Task 1. Introduction
Dive into file threat intelligence.
No answer needed
- One file displays one of the indicators mentioned. Can you identify the file and the indicator? (Answer: file, property)
payroll.pdf, Double extensions
2.1 What is the SHA256 hash of the file bl0gger?
2672B6688D7B32A90F9153D2FF607D6801E6CBDE61F509ED36D0450745998D58
2.2 On VirusTotal, what is the threat label used to identify the malicious file?
trojan.graftor/flystudio
2.3 When was the file first submitted for analysis? (Answer format: YYYY-MM-DD HH:MM:SS)
2025-05-15 12:03:49
2.4 According to MalwareBazaar, which vendor classified the Morse-Code-Analyzer file as non-malicious?
CyberFortress
2.5 On VirusTotal, what MITRE technique has been flagged for persistence and privilege escalation for the Morse-Code-Analyzer file?
DLL Side-Loading
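The two file-level checks behind this task, hashing a sample before looking it up and spotting the double-extension indicator, as an added Python example (not code from the room or from this writeup). The sample contents and filenames are constructed placeholders, not the room's real files; `bl0gger.exe` here is an empty file, so its hash will not match the one above.

```python
import hashlib
import ntpath
import os
import tempfile

# Extensions Windows will execute on double-click. A document-looking name that
# really ends in one of these is the "double extension" indicator.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def hashes_of_bytes(data):
    """MD5, SHA-1 and SHA-256 of an in-memory blob, upper-case hex (VirusTotal accepts either case)."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ("md5", "sha1", "sha256")}


def file_hashes(path, chunk_size=1 << 20):
    """Same digests for a file on disk, streamed so a large sample is never fully loaded."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest().upper() for name, d in digests.items()}


def double_extension(filename):
    """Return (decoy_ext, real_ext) when a document extension hides an executable one, else None."""
    parts = ntpath.basename(filename).lower().split(".")
    if len(parts) < 3:  # need name.decoy.real
        return None
    decoy_ext, real_ext = "." + parts[-2], "." + parts[-1]
    if real_ext in EXECUTABLE_EXTENSIONS and decoy_ext in DOCUMENT_EXTENSIONS:
        return decoy_ext, real_ext
    return None


def triage_directory(directory):
    """Hash every regular file and attach the double-extension indicator, one dict per file."""
    results = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        entry = {"name": name, "indicator": double_extension(name)}
        entry.update(file_hashes(path))
        results.append(entry)
    return results


# Constructed samples: placeholder bytes, not the room's real files.
SAMPLES = {
    "payroll.pdf.exe": b"abc",         # decoy .pdf, real .exe
    "bl0gger.exe": b"",                # single extension, no indicator
    "Morse-Code-Analyzer.exe": b"MZ",  # single extension, no indicator
}


def demo():
    """Write the constructed samples to a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return triage_directory(tmp)


if __name__ == "__main__":
    for entry in demo():
        print(entry["name"], entry["sha256"], entry["indicator"])
```

Paste the SHA-256 from `file_hashes` into the VirusTotal, MalwareBazaar or Hybrid Analysis search box; hashing locally means you never have to upload the sample to find out whether it is already known.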
Task 3. File Hash Lookup
3.1 What tags are used to identify the bl0gger.exe malicious file on Hybrid Analysis? (Answer: Tag1, Tag2, Tag3)
BlackMoon, Discovery, windows-server-utility
3.2 What was the stealth command line executed from the file?
regsvr32 %WINDIR%\Media\ActiveX.ocx /s
3.3 Which other process was spawned according to the process tree?
werfault.exe
3.4 The payroll.pdf application seems to be masquerading as which known Windows file?
svchost.exe
3.5 What associated URL is linked to the file?
hxxp://121.182.174.27:3000/server.exe
3.6 How many extracted strings were identified from the sandbox analysis of the file?
454
Task 4. Sandbox Analysis
4.1 What is the SHA256 hash of the file?
43B0AC119FF957BB209D86EC206EA1EC3C51DD87BEBF7B4A649C7E6C7F3756E7
4.2 What family labels are assigned to the file on VirusTotal?
akira, filecryptor
4.3 How many security vendors have flagged the file as malicious?
61 at the time of writing (the vendor count changes as detections are added or retired, so your number may differ)
4.4 Name the text file dropped during the execution of the malicious file.
akira_readme.txt
4.5 What PowerShell script is observed to be executed?
Get-WmiObject Win32_Shadowcopy | Remove-WmiObject
4.6 What is the MITRE ATT&CK ID associated with this execution?
T1490
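The sandbox behaviours answered in Tasks 3 and 4 (the silent `regsvr32 ... /s` registration, `svchost.exe` running from outside System32, and the shadow-copy deletion one-liner) are exactly what a process-creation detection should catch. Below is an added Python example of such rules, not code from the room or from this writeup. The log events are constructed in Sysmon Event ID 1 style; the `T1218.010` (Regsvr32) and `T1036.005` (Match Legitimate Name or Location) mappings are mine, while `T1490` is the ID the room gives. The `/s` switch is regsvr32's silent mode, which is why that command line is called "stealth" above.

```python
import ntpath
import re

# Where genuine Windows system binaries live (lower-cased, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names malware commonly borrows; the real ones only run from SYSTEM_DIRS.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"(?:get-wmiobject|gwmi|get-ciminstance)\s+win32_shadowcopy\b.*?"
               r"(?:remove-wmiobject|remove-ciminstance)", re.I),
]
REGSVR32_RE = re.compile(r"\bregsvr32(?:\.exe)?\b", re.I)
SILENT_FLAG_RE = re.compile(r"(?:^|\s)[/-]s(?:\s|$)", re.I)
MODULE_RE = re.compile(r'("[^"]+\.(?:ocx|dll|sct)"|\S+\.(?:ocx|dll|sct))', re.I)


def normalise_path(path):
    """Lower-case, strip quotes, expand the two env vars that sandbox command lines usually carry."""
    p = path.strip('"').lower()
    return p.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")


def rule_shadow_copy_deletion(event):
    """Any common shadow-copy removal one-liner -> T1490 Inhibit System Recovery."""
    if any(p.search(event["cmd"]) for p in SHADOW_COPY_PATTERNS):
        return {"rule": "shadow copy deletion", "technique": "T1490"}
    return None


def rule_regsvr32_silent(event):
    """regsvr32 with /s registering a module outside System32 -> T1218.010 (Regsvr32)."""
    cmd = event["cmd"]
    if not (REGSVR32_RE.search(cmd) and SILENT_FLAG_RE.search(cmd)):
        return None
    modules = [normalise_path(m) for m in MODULE_RE.findall(cmd)]
    if modules and all(m.startswith(SYSTEM_DIRS) for m in modules):
        return None  # silently registering a System32 module is routine
    return {"rule": "silent regsvr32 of non-system module", "technique": "T1218.010"}


def rule_masquerading(event):
    """A system binary name executing from outside System32 -> T1036.005."""
    image = normalise_path(event["image"])
    if ntpath.basename(image) in SYSTEM_BINARY_NAMES and not image.startswith(SYSTEM_DIRS):
        return {"rule": "system binary name outside System32", "technique": "T1036.005"}
    return None


RULES = (rule_shadow_copy_deletion, rule_regsvr32_silent, rule_masquerading)


def detect(events):
    """Run every rule over every event; one finding per (event, rule) hit, in input order."""
    findings = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                findings.append({**hit, "image": event["image"], "cmd": event["cmd"]})
    return findings


# Constructed process-creation events (Sysmon Event ID 1 style); not real sandbox output.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32 %WINDIR%\Media\ActiveX.ocx /s"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"image": r"C:\Users\victim\AppData\Local\Temp\svchost.exe", "cmd": "svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs -p"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['technique']:10} {f['rule']:40} {f['cmd']}")
```

Only the first three constructed events fire; the genuine `svchost.exe` from System32 and a silent `regsvr32` of a System32 DLL are left alone, which is the point of keying the rules on location rather than on the binary name alone.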